I believe we discussed this earlier. Use Google Voice. You will get your SMS via email.

Yes. You can also have your verification code sent to a land line via voice rather than SMS.
All these work-around tactics that firms are requiring are exhausting.
Also it should be recognized that users who are unaware of the dangers of SMS are being ill served by Vanguard in this instance.

Concerns about security of SMS are overblown. Well over 99.999% of people will never have their phone number ported out by a malicious actor, a couple of well-publicized celebrity cases notwithstanding. For them, using SMS as a second factor is a HUGE improvement over not having a second factor at all.

That said, I think GV is a superior solution in many regards, and using it for SMS authentication is but one of them.

If you torture the data long enough, it will confess to anything. ~Ronald Coase

Concerns about security are overblown until you, or someone close to you, becomes a victim.

- Russian population is 144 million.
- Average monthly salary in Russia is equivalent to $437.
- 99.999% of Russians are not hackers.
- The remaining 0.001% have nothing to lose and much to gain from emptying a Vanguard account of any Boglehead, including those who are not celebrities.

Add to that Ukrainians, Belorussians, Romanians and others with the skills, information and motivation to become orders of magnitude wealthier than they are now.

Victoria

WINNER of the 2015 Boglehead Contest. |
Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

I apologize for not being clear. SMS, while an issue in and of itself, is also often a factor in certain kinds of phishing attacks.
Using Google Voice or even a land line does nothing to protect you from this type of attack. And if I may quote myself:

Concerns about security of SMS are overblown. Well over 99.999% of people will never have their phone number ported out by a malicious actor, a couple of well-publicized celebrity cases notwithstanding. For them, using SMS as a second factor is a HUGE improvement over not having a second factor at all.

Victoria,

As a computer networking professional, and a Belarusian (as my friends and relatives like to point out, this is the preferred spelling), I remain utterly unconvinced that there is any measurable chance that any Boglehead's cellphone number will ever be ported out by a Russian hacker.

To try to convince them otherwise is to stoke ungrounded fears that would potentially distract them from taking real-world security measures, including, yes, enabling 2FA, even if SMS-based.

That said, I am, again, a strong advocate of utilizing Google Voice numbers for that purpose.

Last edited by Vulcan on Fri Sep 21, 2018 11:16 am, edited 1 time in total.

If you torture the data long enough, it will confess to anything. ~Ronald Coase

Google has found security keys are a big improvement in security. Requiring employees to use security keys eliminated successful phishing attempts.

I hope we can agree that phishing is a very real concern for just about everyone even if SIM swaps and number porting are not.

As was pointed out earlier in other threads, browser-based password managers very effectively thwart phishing attempts without the hassles associated with hardware keys.

Yes they (password managers) can assist by alerting you to being on the wrong web page, but human behavior is a funny thing.

Google's results from testing thousands of employees using security keys are a strong enough recommendation for me.

I also find physical keys logically simple to understand. I know how to secure my house keys; my smart phone - I must misplace that thing at least once a week.

Also, using smart phones as the basis for 2FA can easily lead to circular dependencies when all of the moving parts are not thought out thoroughly. How many people have yet to figure out that needing 2FA for their Apple ID means they might be locked out just when they need to engage the "lost iPhone" application. I realize using Google Voice could address some of these issues if implemented properly. If being the operative word.

I get it, physical keys are a hassle for some people and they will eschew them. However if you are willing to endure the downside of using security keys it would be nice to get the full benefit of using them.
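
The posts above report that security keys stopped successful phishing at Google but do not say why. The reason is that the browser, not the web page, stamps the page's origin into the data the key signs, so a lookalike site relaying a login cannot produce an assertion the real site will accept. The following is an added example, not code from the thread or from any vendor: the server-side checks a FIDO2/WebAuthn relying party performs before it even looks at the signature. The domain names, relying-party ID and challenge are constructed; the signature check itself (over the bytes returned by signed_message) needs a crypto library and is left out.

```python
# Added example (not from the thread): server-side checks that make a
# FIDO2/WebAuthn security key phishing-resistant. The browser writes the
# origin into clientDataJSON, and the key signs over
# authenticatorData || SHA-256(clientDataJSON), so a relayed login from a
# lookalike site carries the wrong origin and fails verification.
# Domain names, rp_id and challenge bytes are constructed for illustration.
import base64
import hashlib
import json
import os
import struct

RP_ID = "bank.example"                   # assumed relying-party ID
EXPECTED_ORIGIN = "https://bank.example"
PHISHING_ORIGIN = "https://bank-example.com"   # constructed lookalike


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_authenticator_data(rp_id: str, user_present: bool = True, sign_count: int = 1) -> bytes:
    """authenticatorData = rpIdHash(32) || flags(1) || signCount(4, big-endian)."""
    flags = 0x01 if user_present else 0x00       # bit 0 = UP (user present)
    return (hashlib.sha256(rp_id.encode("ascii")).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser hands to the authenticator; page script cannot alter 'origin'."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode("utf-8")


def signed_message(auth_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the key signs; verifying that signature needs a crypto library (omitted)."""
    return auth_data + hashlib.sha256(client_data_json).digest()


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes, expected_origin: str, rp_id: str):
    """Return (ok, reason). All of these must pass before the signature is checked."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    try:
        challenge = b64url_decode(client_data.get("challenge", ""))
    except (TypeError, ValueError):
        return False, "challenge not base64url"
    if challenge != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch: %r" % client_data.get("origin")
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode("ascii")).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "ok"


def demo():
    """Genuine login versus a real-time relay through a lookalike site."""
    challenge = os.urandom(32)                     # server-issued, single use
    auth_data = make_authenticator_data(RP_ID)
    genuine = verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge),
                               auth_data, challenge, EXPECTED_ORIGIN, RP_ID)
    phished = verify_assertion(make_client_data(PHISHING_ORIGIN, challenge),
                               auth_data, challenge, EXPECTED_ORIGIN, RP_ID)
    return genuine, phished


if __name__ == "__main__":
    print(demo())
```

The challenge check is what stops a captured assertion being replayed later; the origin and rpIdHash checks are what stop the phishing relay. An SMS or TOTP code has none of this binding, which is why a user can be talked into typing it into the wrong site.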

Given the length of this thread and the depth of technical discussion, we really need a hero to step up and provide succinct "best practices" guidelines in layman's terms. Maybe one "essentials" guide for the majority of people, and maybe another guide for those who want absolutely rigorous security (though maybe those people don't need a guide).

1. Enable 2FA on your Google account.
2. Enable Google Smart Vault (Chrome's built-in pwd manager)
3. Configure all other accounts to send verification codes to your Gmail and/or Google Voice, but even SMS is better than nothing.
4. Item 3 notwithstanding, don't click on any links in emails. Use browser bookmarks to go to sites of financial institutions.
5. Item 4 notwithstanding, if you did click a link, absolutely don't enter a password if your password manager did not enter it for you.

So, really, just following items 1-3 will make you better protected than, well, statistically speaking pretty much everyone else. And that is your goal. There is no such thing as absolute protection in IT.

Unrelated to this, do back up your own important data offline and offsite (external hard drive plus, for irrecoverable things like photos and documents, also high quality optical media where it can be stored for decades). Including periodically downloading a Google Takeout archive. But that is sort of a separate conversation.

If you torture the data long enough, it will confess to anything. ~Ronald Coase
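
Items 4 and 5 of the list above, and the earlier remark that browser password managers thwart phishing, rest on one mechanism: the manager fills a password only on the origin it was saved for. Here is an added example of that decision, not code from the thread or from any browser. Real managers use the Public Suffix List to work out the registrable domain; this cut-down version accepts the saved host or a subdomain of it, over https only, and compares hostnames in their ASCII (punycode) form so an IDN homograph never matches. The vault entry and the URLs are constructed.

```python
# Added example (not from the thread): why "my password manager did not fill
# it in" is a phishing signal. A credential is bound to the origin it was
# saved on; lookalike domains, subdomain tricks, plain http and homograph
# hosts all fail the match. The vault entry and trial URLs are constructed.
from urllib.parse import urlsplit

# Constructed vault: origin the password was saved on -> username
VAULT = {
    "https://bank.example": "boglehead",
}


def normalise_host(host: str) -> str:
    """ASCII (punycode) form, lower-cased, so a Cyrillic 'a' can never equal a Latin one."""
    return host.encode("idna").decode("ascii").lower()


def fill_decision(page_url: str):
    """Return (username or None, reason) for the page the user is looking at."""
    try:
        parts = urlsplit(page_url)
        page_host = normalise_host(parts.hostname or "")
        page_port = parts.port or 443
    except (ValueError, UnicodeError):
        return None, "refuse: unparseable URL"
    if parts.scheme != "https":
        return None, "refuse: not https"
    if not page_host:
        return None, "refuse: no host"
    for origin, username in VAULT.items():
        saved = urlsplit(origin)
        saved_host = normalise_host(saved.hostname)
        saved_port = saved.port or 443
        same_site = page_host == saved_host or page_host.endswith("." + saved_host)
        if same_site and page_port == saved_port:
            return username, "fill from %s" % origin
    return None, "refuse: %s matches no saved origin" % page_host


# Constructed trials: the first two are legitimate, the rest are what a
# phishing link in an email typically lands on.
TRIALS = [
    "https://bank.example/login",
    "https://login.bank.example/",
    "https://bank-example.com/login",           # lookalike registrable domain
    "https://bank.example.evil.test/login",     # real name as a subdomain of the attacker
    "http://bank.example/login",                # downgraded scheme
    "https://b\u0430nk.example/login",          # Cyrillic 'а' homograph
    "https://bank.example:8443/",               # wrong port
]


def run_trials():
    return {url: fill_decision(url) for url in TRIALS}


if __name__ == "__main__":
    for url, (user, why) in run_trials().items():
        print("%-45s %s" % (url, why if user is None else "FILL %s (%s)" % (user, why)))
```

The point of item 5 in the list follows directly: if the page looks right but the manager stays silent, one of the refusals above fired, and typing the password by hand hands it to whoever owns that host.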

Earlier, I mentioned that a Vanguard client might fail to live up to their responsibilities under Vanguard's reimbursement promise while doing a bunch of other security stuff. The pledge requires:

"Make sure that any computer or device you use to access your accounts has up-to-date anti-virus and anti-spyware software and is protected by a firewall." I think this might perhaps include your router, not sure. Probably includes your password vault software if you use that.

"Don't use a public computer unless you know it has up-to-date security and you can log off completely."

"Review the account-related information we send or make available to you as soon as you receive it, such as account statements, confirmations, and changes to your mail preferences (such as an address change), bank information (such as the addition or deletion of a bank), and other services." Failing to detect and report fraud within a reasonable amount of time could be a problem.

Also, be prepared to tell the truth about your practices. Bogleheads have claimed or implied in other threads here that they would lie to Vanguard and the police about sharing their passwords between spouses. Don't do that or, at least, discuss the matter with a lawyer before you do. Under the current responsibility list, you don't have to completely avoid sharing passwords. Any transactions done by the person you share with are considered authorized transactions.

These are satisfied by allowing Windows Defender and Chrome to download and install the latest updates.

Any home internet router acts as a firewall, but if you are on public wifi, they seem to want you to enable Windows Firewall.

I see no reasons for concern here.

If you torture the data long enough, it will confess to anything. ~Ronald Coase

Vulcan,

I apologize for the misspelling of "Belarusian". My first language is Russian and I have translated it without checking Google. I too was a networking professional and a cybersecurity professional in the latter part of my career. I also have spent enough time in the Bogleheads Forum to judge its spirit.

The Bogleheads are different from the American population at large in several key ways:
- The Bogleheads have more money to lose.
- The Bogleheads discuss their finances in this Forum and thus are more likely to become targets.
- Many Bogleheads are STEM, legal, medical and financial professionals. They have a propensity for, and take satisfaction from, detailed analyses and calculations, getting into the portfolio, insurance, tax, and other weeds that most other people avoid like the plague.

Thus, I would not worry about confusing the Bogleheads with excessive details.

Thank you for describing the Google Voice solution,

Victoria

WINNER of the 2015 Boglehead Contest. |
Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

I checked and my Chrome and Windows Defender are automatically updating. That seems to be the default.

So, what's the deal with routers? Suppose you have a home router with WEP security and a username=admin and a password=admin? Is there any reason for concern?

No concerns about j random public routers even if you are using your own laptop?

How about your workplace computer?

Seems like public computers would be a no-no, keyloggers and all that. How could one feel that a public computer could be safe?

If possible, you should remove your phone number from any account that could interest hackers. You can still link a type of phone number to those accounts, but we suggest using a VoIP number, such as a Google Voice number, that is SIM hijack-proof.

If you torture the data long enough, it will confess to anything. ~Ronald Coase

Though I do not have hard data, I think, statistically, one's risk of irretrievably losing their physical gold holdings is much higher than that of their permanently losing their Vanguard/Fidelity/Schwab holdings due to a cyber attack.

At any rate, I am not familiar with anyone being offered any guarantees against such a loss, even with caveats comparable to those offered by these companies.

If you torture the data long enough, it will confess to anything. ~Ronald Coase

The Bogleheads are different from the American population at large in several key ways:
- The Bogleheads have more money to lose.
- The Bogleheads discuss their finances in this Forum and thus are more likely to become targets.
- Many Bogleheads are STEM, legal, medical and financial professionals. They have propensity for and satisfaction from detailed analyses and calculations, getting into the portfolio, insurance, tax, and other weeds that most other people avoid as a plague.

With this in mind, imagine what could happen if a hacker breaks into the Bogleheads server and steals the phpBB users table. They probably will get user names, email addresses and hashed passwords. With that information, they could identify email addresses of high value users (i.e. those who post messages like "I just retired with $5M in my Vanguard account"). If they decide to target you, they might go after your Vanguard account or your email account or some other high value account using that email address.

It would be wise to use a different email address for your Bogleheads account than you use for Vanguard or any other important account. Don't use that email address at any other website that can tie you to your real identity.

Big yikes, hopefully there is a way to encrypt/hash this?

Encrypt does not move the needle for most threats (though it is still worth doing if you have a reasonable way to protect the key). Hash does. That said, in the world in which we live (ASICs, etc.), the classic approaches are tough. PBKDF2 with small numbers of rounds is easier to defeat than ever. Argon2 is likely the best option these days (even though it is still imperfect). Willing to bet this service does not use that.

From what I find, I think you will likely find that your email address and name (if not a current or past password) is already out there.
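
To make the point about PBKDF2 rounds and memory-hard hashing concrete, here is an added example, not code from the thread or from phpBB, of the two ways a users table might store passwords and how the stored string is verified. Argon2, the option recommended above, is not in the Python standard library (the argon2-cffi package provides it), so hashlib.scrypt stands in as the memory-hard option; the iteration counts, scrypt parameters and the sample password are constructed for illustration.

```python
# Added example (not from the thread): storing and verifying password hashes
# with a tunable work factor. PBKDF2-HMAC-SHA256 with few iterations is cheap
# for GPU/ASIC crackers; scrypt (standing in for Argon2, which needs the
# argon2-cffi package) makes each guess cost memory as well as time.
# Parameters, formats and the sample password are constructed.
import hashlib
import hmac
import os
import time


def hash_pbkdf2(password: str, iterations: int, salt: bytes = None) -> str:
    """'$pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>'; 600000 is a common 2023 recommendation."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$pbkdf2-sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def hash_scrypt(password: str, n: int = 2 ** 14, r: int = 8, p: int = 1, salt: bytes = None) -> str:
    """'$scrypt$<n>$<r>$<p>$<salt hex>$<digest hex>'; n=2**14, r=8 needs about 16 MiB per guess."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return "$scrypt$%d$%d$%d$%s$%s" % (n, r, p, salt.hex(), digest.hex())


def verify(password: str, stored: str) -> bool:
    """Recompute from the parameters embedded in the stored string; compare in constant time."""
    fields = stored.split("$")
    try:
        if fields[1] == "pbkdf2-sha256":
            _, _, iterations, salt_hex, digest_hex = fields
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                            bytes.fromhex(salt_hex), int(iterations), dklen=32)
        elif fields[1] == "scrypt":
            _, _, n, r, p, salt_hex, digest_hex = fields
            candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                       n=int(n), r=int(r), p=int(p), dklen=32)
        else:
            return False                      # unknown or legacy scheme: never accept
    except (ValueError, IndexError):
        return False                          # malformed record
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def cost_per_guess(stored: str, guess: str = "not the password") -> float:
    """Seconds one wrong guess costs on this CPU; dedicated cracking hardware does much better."""
    start = time.perf_counter()
    verify(guess, stored)
    return time.perf_counter() - start


if __name__ == "__main__":
    pw = "correct horse battery staple"      # constructed sample
    for label, record in (("pbkdf2 x1000", hash_pbkdf2(pw, 1000)),
                          ("pbkdf2 x600000", hash_pbkdf2(pw, 600000)),
                          ("scrypt 2^14", hash_scrypt(pw))):
        print("%-16s %.4f s per guess" % (label, cost_per_guess(record)))
```

The salt and parameters travel with the record, so a site can raise the work factor later and re-hash each user at their next login; a table of unsalted MD5 or SHA-1, which is what older phpBB installs used, has no such escape route.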

I think this is a good argument for regularly changing passwords.

1Password has a feature called Watchtower which checks for compromised sites and alerts you to change the password. It additionally checks for expired SSL certificates, weak passwords and the like. Anyway, when I see a red alert on a login, I attend to it. So far so good. Fingers crossed.

It’s also nice to be able to keep all my credit freeze links, letters and PINs in a central, safe location. I’m up to 6 agency freezes X 2 accounts each (me and my wife) so 12 to keep track of. Add another 150+ logins of various importance...
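
For anyone curious how a manager can check whether a password has appeared in a breach without sending the password anywhere, here is an added example, not code from the thread or from 1Password. It assumes the check is done the way Have I Been Pwned's Pwned Passwords service works (which, as I understand it, is what Watchtower queries): only the first five hex characters of the SHA-1 go to the service, the rest of the match happens locally. The range response below is a constructed sample, not live data; the live fetcher is included but not used by the demo.

```python
# Added example (not from the thread): k-anonymity breached-password lookup as
# used by Have I Been Pwned's Pwned Passwords API. Only a 5-hex-character SHA-1
# prefix is sent; the service returns every known suffix for that prefix and
# the match is done locally. The sample range response is constructed.
import hashlib
import urllib.request


def sha1_prefix_suffix(password: str):
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Lines are 'SUFFIX:COUNT'; padded responses add zero-count decoys, dropped here."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        count = count.strip()
        if count.isdigit() and int(count) > 0:
            counts[suffix.strip().upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """Times this exact password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str, timeout: float = 10.0) -> str:
    """Real query (not used by the offline demo). Add-Padding hides the true range size."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "watchtower-style-check-example",
                 "Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" is
# 5BAA61E4...). The other suffixes and all counts are made up.
SAMPLE_RANGE_5BAA6 = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "4F7C1A9EDE7C3F49B4B79BE1A33F7E1D2D1:0\r\n"     # padding entry
    "FF2A4C6E0B1D3A5F7C9E1B3D5F7A9C1E3F5:12\r\n"
)


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call so the example runs offline."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple xyzzy"):
        print("%-40r seen %d times" % (candidate, pwned_count(candidate, fetch_range_offline)))
```

The service learns a prefix shared by hundreds of hashes and nothing else, which is what lets a password manager run this check on every stored login without leaking the logins.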

I wish some of those were real defects all the time. Many service providers have password/factor recovery procedures that are so weak that they become the exploitable weak link, undermining the attempts to implement robust authentication.